none
Error 5: Access has been denied while mapping a windows 2008 share Folder RRS feed

  • Question

  • Hello
     
    I'm having an issue when mapping a win2008 share folder when booting from CD, Floppy or USB. I can boot from any of the above devices okay and but then I put my credentials I receive the message Error 5: Access has been denied. 
     
    I do not have this problem with Windows Server 2003.  The folder permissions are set so the non-domain account i'm using has full access within the shared and NTFS settings. I've changed the following local policies on the win2008 server but still no cigar;
     
    Microsoft Network Client (always).. to enable
    If server agrees... to enable
    Send unencrypted password... to disable
    If client agrees... to enable
    Disconnect client when logon... to enable
    Network security: Do Not Store LAN Manager Hash Value... to disable
    Network security: LAN Manager authentication level... to sent NTLM response only
     
    Can anyone assist with this problem? 
     
    Thx.
     
    Tuesday, September 23, 2008 8:13 PM

Answers

  • Here's what I did to solve this problem, hope it works for you.

     Set the following group policy settings:
    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options:

        Network Security: Do not store LAN Manager hash value on next password change - SET TO DISABLE

        Network Security: LAN Manager authentication level - SET TO SEND LM & NTLM - USE NTLM v2 IF NEGOTIATED

    Refresh group policy by restarting the computer or typing gpupdate /force in the run dialog box.

    Reset the password on the user account.  The password needs to be reset so that it stores the older LAN Manager hash value.


    Hope this helps someone.
    Friday, February 6, 2009 9:46 PM
  • Think I may have solved it.  Attempting to reproduce it.
    Friday, September 26, 2008 7:07 PM

All replies

  •  

    Hello,

     

    Before going further, I would like to confirm the following points:

     

    1.    Did you boot into Command prompt in recovery console or WinPE to map a network drive on Windows Server 2008?

    2.    Is the client computer running Windows XP or Windows Vista?

    3.    What’s the result if inputting the default administrator account and password?

    4.    Can you map other network drives, from the same Windows Server 2008 computer and other computers?

    5.    Could you let me know the detailed steps about how you try to map the network drive?

    6.    What’s the exact wording of the error message?

     

    Now I suggest inputting a different user name and password when you are prompted to enter credentials.

     

    In addition, let’s disable “Use Sharing Wizard”

     

    1.    Open Folder Options in Control Panel.

    2.    On the View tab, uncheck the box before “Use Sharing Wizard (Recommanded)”.

    3.    Click OK.

     

    In Windows Server 2003, we can configure the following group policies to enable DOS client access. I have not tested if they also work on Windows Server 2008. You can have a try.

     

    [Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Lan Manager Authentication Level] -> LM, NTLM responses

    [Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally Signed Communications (Always)]  Disabled

     

    If this problem continues, please change the following registry keys on the server to test:

     

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - restrictanonymous = 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - restrictanonymoussam = 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - everyoneincludesanonymous = 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - nolmhash = 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - lmcompatibilitylevel = 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters - requiresecuritysignature =0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters - requiresecuritysignature = 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters - restrictnullsessaccess = 0

     

    Hope it helps.

     

    Tim Quan - MSFT

    Wednesday, September 24, 2008 10:29 AM
    Moderator
  • 1. Did you boot into Command prompt in recovery console or WinPE to map a network drive on Windows Server 2008?

     I tried booting from customized boot disk made from the following:
        A.  Power Quest (Now Symantec)
        B.  Ultimate Boot CD

    2. Is the client computer running Windows XP or Windows Vista?  Windows XP

    3. What’s the result if inputting the default administrator account and password?
    I got the same results.

    4. Can you map other network drives, from the same Windows Server 2008 computer and other computers? Cannot map to any shared folders on Windows Server 2008 from DOS but I can map using windows.  I can map to Windows Server 2003 from DOS without any problems.

    5. Could you let me know the detailed steps about how you try to map the network drive? Example, I created a customized boot disk using the PowerQuest boot disk wizard. All the correct parameters were specified including servername or server IP, net use G: \\servername\images, and username. When I boot from the disk or USB device it prompts for a and password. Once I type in the password and press enter it displays the error.

    6. What’s the exact wording of the error message? Error 5: Access has been denied.

    7. Disabling the "Use Sharing Wizard" and modifying the registry did not make any difference.

    Event log

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/24/2008 1:18:03 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      Imaging
    Description:
    An account failed to log on.

    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0

    Logon Type:   3

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  testing
     Account Domain:  

    Failure Information:
     Failure Reason:  Unknown user name or bad password.
     Status:   0xc000006d
     Sub Status:  0xc000006a

    Process Information:
     Caller Process ID: 0x0
     Caller Process Name: -

    Network Information:
     Workstation Name: \\DM141E0C0D
     Source Network Address: 10.132.53.164
     Source Port:  47196

    Detailed Authentication Information:
     Logon Process:  NtLmSsp
     Authentication Package: NTLM
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2008-09-24T20:18:03.818Z" />
        <EventRecordID>599</EventRecordID>
        <Correlation />
        <Execution ProcessID="600" ThreadID="692" />
        <Channel>Security</Channel>
        <Computer>imaging</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">testing</Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">\\DM141E0C0D</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">10.132.53.164</Data>
        <Data Name="IpPort">47196</Data>
      </EventData>
    </Event>


     

    Wednesday, September 24, 2008 6:23 PM
  •  

    Hi,

     

    Thank you for the reply.

     

    Did you use the following command to map the Z: drive to the network path //computer/folder?

     

    net use z: \\computer\folder

     

    Can you access the shared folder in DOS?

     

    Can you ping the Windows Server 2008 computer in DOS?

     

    Please grant the shared folder everyone full control.

     

    1.    Right-click the shared folder and click Properties.

    2.    On the Sharing tab, click Advanced Sharing.

    3.    Click Permissions.

    4.    Click Everyone and check the Allow box beside Full Control.

    5.    Click OK twice.

    6.    On the Security tab, Click Edit.

    7.    Click Add, type Everyone and click OK.

    8.    Click Everyone and check the Allow box beside Full Control

    9.    Click OK.

     

    If the issue persists, I suggest using the following method to create a MS-DOS bootable diskette

     

    1.    When formatting a floppy diskette, users have the option of creating a MS-DOS startup disk, follow the below steps to do this.

    2.    Place diskette in the computer.

    3.    Open My Computer, right-click the A: drive and click Format.

    4.    In the Format window, check Create an MS-DOS startup disk.

    5.    Click Start.

     

    Once the bootable diskette has been successfully created, following the below steps you will be able to boot from the diskette.

     

    1.    Place the diskette into write-protect mode (in case a virus is on the computer, this will not allow the virus to transfer itself onto the diskette).

    2.    Insert the diskette into the computer and reset or turn on the computer to begin the boot process.

    3.    As the computer is booting, answer the questions prompted (if any).

    4.    Once at the A:\> take the appropriate actions depending upon the situation of the computer.

    5.    If you are unfamiliar with MS-DOS we recommend you see our MS-DOS page. 

     

    If the issue still occurs, I am afraid that DOS may be incompatible with Windows Server 2008.

     

    Tim Quan - MSFT

    Thursday, September 25, 2008 10:20 AM
    Moderator
  • I issued the net use z: \\servername\shared but is still unable to access the Windows Server 2008 share from DOS.  Even after granting full rights to the everyone account.  The new boot disk did not make any difference.  I can ping the server from DOS.  It prompts for password when the net use command is issued but continues to fail.    

    Errror 5:  Access has been denied.

       
    Thursday, September 25, 2008 3:15 PM
  • Made some progress but still trying to pinpoint the cause.
    Friday, September 26, 2008 3:33 PM
  • Think I may have solved it.  Attempting to reproduce it.
    Friday, September 26, 2008 7:07 PM
  • M. Quan,

    Have you solved it?  Did you find a solution?

    I've got the same problem.

    Thanks
    Friday, January 16, 2009 6:57 PM
  • dcphq said:

    Think I may have solved it.  Attempting to reproduce it.



    Did you solved this issue? If so, can you please share?

    I am having the same issue.

    Monday, January 26, 2009 6:04 PM
  • Here's what I did to solve this problem, hope it works for you.

     Set the following group policy settings:
    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options:

        Network Security: Do not store LAN Manager hash value on next password change - SET TO DISABLE

        Network Security: LAN Manager authentication level - SET TO SEND LM & NTLM - USE NTLM v2 IF NEGOTIATED

    Refresh group policy by restarting the computer or typing gpupdate /force in the run dialog box.

    Reset the password on the user account.  The password needs to be reset so that it stores the older LAN Manager hash value.


    Hope this helps someone.
    Friday, February 6, 2009 9:46 PM
  •  Worked for me!  My scenario was DOS boot to an XP Pro desktop.  Am able to map a drive from DOS boot, now.
    Monday, March 23, 2009 5:40 PM
  • My scenario was one MS-DOS machine trying to map a share on a Vista machine. After having tried all the obvious things I came across your advice; and YES now it works. Thanks! How did you get the idea to solve it this way?
    Friday, November 13, 2009 10:50 PM
  • Why not do this in "Local Security Policy"? By using GPO you can do this for all the servers in a OU, but by setting this in Local Security Policy you can loosen up this security just for one server. It worked for me, and it is the same settings / values as Justin T. is talking about:

    Administrative Tools - Local Security Policy - Local Policies - Security Options:
      Network Security: Do not store LAN Manager hash value on next password change - SET TO DISABLE
      Network Security: LAN Manager authentication level - SET TO SEND LM & NTLM - USE NTLM v2 IF NEGOTIATED

    Thursday, January 7, 2010 12:33 PM
  • Good point - AND, we must consider the case (such as mine) where a machine is 'outside the domain' in a Workgroup.

    I have similar issue.

    Machine B is Server 2008 - I have shared the folder, set permissions as needed, but even with mapping explicitly with the "administrator" and password to the 'share' - it gives "access denied" if trying to copy file from XP (Machine A) at the command shell, to the share on the 2008 server (Machine B).

    BUT, if I happen to map to the 'drive' - the NTFS permissions work fine - i.e., net use * \\2008server\c$ /user:administrator *

    I have yet to try the policies mentioned, but am doing that now - and will report back.

    Note: This is a LOT of extra effort just to do things that automatically happened in 2003 server - and I do indeed respect the fact of having more tightened and heightened security, BUT if I say "share this folder as a share, and allow UserX to be able to modify it, from both Share Level and NTFS folder/file level," then I expect the system and/or policies to adjust accordingly - or to provide an intelligible response such as, "Hey Mr. admin-guy - the policies you have set may need to be adjusted in order to allow proper sharing from other systems." But... maybe it's just me. Thanks.

    Friday, May 14, 2010 12:55 PM
  • The policy settings did not make a difference for me - actually, my problem was "perceived;" i.e. end-user problem on my part (LOL).

    When I mapped properly, WITH "administrator," it worked fine.

    In the related problem that was reported to me: When the user mapped to the share via the non-admin user, he was unable to copy files to the share.

    I told the user to ensure that the NON-admin account also has "log on as batch" and/or "log on as a service" as needed.

    Note: I verified that the non-admin user has modify/write access to both the Share and the NTFS levels.

    Friday, May 14, 2010 1:42 PM
  • Thanks, it helped to me.
    Wednesday, March 16, 2011 9:46 PM
  • We recently set up a machine company that uses almost all DOS machines for tools. The proposed solution at the top was the perfect fix we have been looking for. I have been searching for almost a week and myself and another co-worker found this solution at the same time and it worked. We are an MSP so changing most clients have file server, print server and DC all in one. Our domain policies over ride this so we have to make a secondary file/app/print server (which is what i am accustomed too in my previous life) so not a huge deal. Thank you so much for this solution.
    Tuesday, July 19, 2011 4:56 PM
  • Trying to setup a Fryer CNC machine with a Analam 3000/3300 control which runs DOS. I installed "MS-DOS Network Client 3.0" and after a ton of hours finally got the NIC drivers to fire up with TCP/IP. I ran into the same problem as the guy above. I spent countless hours trying to make this work on Vista and Windows 7 and got nowhere.

     

    The solution above was the correct fix and resolved my problem. Thank you so much for spending the time to document this. It has made me a hero in my company.

    *NOTE*   The above really does work, don't forget to reset that password though.

    Thursday, August 18, 2011 7:26 AM
  • Bingo that did it for me, thanks Justin and all.

    Oh and I was using NetBoot 6.5 to install a Ghost Image on Windows 7 computer.

    • Edited by Axehole Wednesday, September 21, 2011 10:49 PM
    Wednesday, September 21, 2011 10:48 PM
  • Thanks so much! We've spent three nights trying to solve the same problem, trying to connect shared folder from Windows XP desktop to Schirmer Machinery.

    This thing is not translatable: Кланяемся в ноги и от всей души благодарим! Спасибо тебе добрый человек! Ибо уже три ночи трахаемся с этим станком и не можем победить никак!


    Stanislav Kaliyev

    Thursday, August 16, 2012 4:41 PM
  • Hi!

    Hi!

    Hi!

    There are 2 other things you should check in the windows registry  

    1. Open start menu

    2. type regedit and press enter

    3. in the registry editor navigate to the following place:

    HKEY_COCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    4. Check wether the following variables are set to value 0!

    requiresecuritysignature  -> set it to 0

    enableauthenticateusersharing -> set it to 0

    These are the final settings that solved my problem, so I can now connect to my windows 2008 R2 server shared folder with MS-DOS network client 3.0

    Sunday, October 28, 2012 8:38 AM
  • Justin, thanks a lot for the tips!

    I had better luck with changing the group policies rather then going thru the local policies. 

    Changing 

    Network Security: Do not store LAN Manager hash value on next password change - SET TO DISABLE
    Network Security: LAN Manager authentication level - SET TO SEND LM & NTLM - USE NTLM v2 IF NEGOTIATED

    alone did not do the trick for me (I still got error 5 message on the client). I had to additionally disable

    Microsoft network server: Digitally sign communications (always)to make it work.

    Cheers!

    PS My problem was accessing a share on Windows Server 2008 from an MS-DOS 6.22 / MS Network Client 3.0 PC

    Friday, March 1, 2013 12:39 AM
  • can anyone tell me "where" these changes where applied?

    was it on the file server? Was it on the domain controllers? Was it a combination? Domain Policy, Domain controller policy?

    Thanks!


    • Edited by jamicon Friday, November 22, 2013 6:20 PM
    Friday, November 22, 2013 6:20 PM
  • FYIDid the instructions listed, and a few other things (which I probably didn't need to do) to gain access to Server 2012 as well from a DOS bootable USB stick (formatted like a floppy, i.e. Deleted primary DOS partition then formatted as B:). Thanks!
    Friday, May 8, 2015 8:46 PM